CompTIA SecurityX (CAS-005): Complete Guide 2026
CompTIA SecurityX is the certification everyone asks about but nobody explains properly. Every guide we found either sells a boot camp or just repeats CompTIA’s marketing materials. We wanted to do better.
After 30 years in cybersecurity and having guided thousands of students through their certification journeys, I can tell you that choosing the right advanced cert is one of the highest-stakes career decisions you’ll make. Get it right and you unlock $90K–$150K+ roles. Get it wrong and you’ve spent months studying for something that doesn’t move the needle.
In this guide, we’ll cover everything you need to know about SecurityX — from exam format and domain breakdown to a week-by-week study plan, realistic salary data, and an honest assessment of whether it’s actually worth your time.
What Is CompTIA SecurityX?
CompTIA SecurityX (exam code CAS-005) is CompTIA’s expert-level certification for senior cybersecurity practitioners. It validates your ability to design, implement, and manage advanced security solutions across enterprise environments.
If you’ve heard of CASP+ (CompTIA Advanced Security Practitioner), SecurityX is its replacement. CompTIA rebranded CASP+ as part of their new Expert (“Xpert”) Series in December 2024, alongside DataX and CloudNetX. The CASP+ certification badge was automatically updated for existing holders — no re-testing required.
SecurityX sits at the top of CompTIA’s cybersecurity pathway.
Think of it this way: Security+ proves you understand security fundamentals. CySA+ proves you can analyse threats. SecurityX proves you can architect and lead an organisation’s entire security posture. It’s the difference between knowing how a firewall works and designing the network architecture that determines where firewalls go.
SecurityX Exam Details
Here’s everything you need to know about the CAS-005 exam format. No surprises on test day.
| Detail | Information |
|---|---|
| Exam code | CAS-005 (CompTIA SecurityX CAS-005) |
| Full name | CompTIA SecurityX (formerly CASP+) |
| Launch date | December 17, 2024 |
| Questions | Up to 90 (multiple-choice + performance-based) |
| Duration | 165 minutes |
| Scoring | Pass/fail (no scaled score published) |
| Exam cost | ~$512 USD |
| Testing | Pearson VUE (in-person or online) |
| Languages | English |
| Validity | 3 years |
| Renewal | 75 CEUs + $50/year CE fee |
| Accreditation | ANSI/ISO 17024 |
| DoD approval | 8140 IAT Level III, IASAE Level II |
A few things worth noting. The exam is pass/fail — CompTIA doesn’t publish the passing threshold. The performance-based questions (PBQs) are hands-on simulations where you configure firewalls, analyse logs, or troubleshoot security issues in a virtual environment. These are what separate SecurityX from easier certifications: you can’t memorise your way through them.
SecurityX Domains Breakdown
The SecurityX exam covers four domains. Here’s what each one actually means — not just the CompTIA SecurityX objectives list, but what you need to understand in practice.
Security Engineering and Cryptography (31%)
This is the largest domain and it’s where most of the new content lives. You need to understand:
- Secure DevOps and CI/CD pipelines — integrating security into automated build and deployment processes
- Post-quantum cryptography — new to CAS-005, covering lattice-based and hash-based algorithms that will resist quantum computing attacks
- Tokenisation, digital signatures, and certificate management — practical implementation, not just theory
- Legacy and specialised system security — securing SCADA, embedded systems, and IoT devices alongside modern infrastructure
Study tip: This domain requires hands-on lab work. You need to have actually configured CI/CD security scanning tools and worked with cryptographic implementations. Textbooks alone won’t cut it.
Security Architecture (27%)
The second-largest domain focuses on designing security at the enterprise level:
- Cloud security models — shared responsibility, CASB, CWPP, and securing serverless architectures
- Zero trust and SASE — new emphasis in CAS-005, covering deperimeterisation and SD-WAN
- Network segmentation and microsegmentation — designing network architectures that contain breaches
- PKI and advanced access controls — MAC, DAC, RBAC, and identity federation at enterprise scale
Study tip: If you’ve worked primarily on-premise, spend extra time on cloud security models. The exam assumes you can design for hybrid and multi-cloud environments.
Security Operations (22%)
This domain covers what security teams do day to day:
- SIEM configuration and monitoring — building baselines, creating alerts, tuning false positives
- Vulnerability management — software composition analysis (SCA), software bills of materials (SBoM), and prioritisation
- Incident response and forensics — from containment to root cause analysis, including reverse engineering
- Threat hunting — proactively searching for indicators of compromise using threat intelligence
Study tip: Set up a home SIEM (Splunk free tier or ELK stack) and practice writing detection rules. The PBQs in this domain test practical skills.
Governance, Risk, and Compliance (20%)
The smallest domain but arguably the most important for career advancement:
- Security programme documentation — policies, procedures, standards, and guidelines
- Risk management frameworks — NIST CSF, NIST RMF, ISO 27001, quantitative vs qualitative assessments
- Compliance requirements — PCI DSS, GDPR, HIPAA, and compliance-as-code (new to CAS-005)
- Threat modelling — STRIDE, ATT&CK framework, and integrating threat intelligence into risk decisions
- Third-party risk management — vendor assessments, supply chain security, and SLA enforcement
Study tip: Start your study plan with this domain. It’s the smallest by weight, builds the conceptual foundation for the other three, and gives you early momentum.
What Changed from CASP+ to SecurityX
If you’re familiar with the old CASP+ certification (CAS-004), here’s what’s different in SecurityX (CAS-005):
The headline changes:
- Objectives reduced from 28 to 23 — the exam is streamlined, not easier. CompTIA consolidated overlapping topics.
- AI and machine learning added — SecurityX now covers AI threat modelling, a topic that barely existed when CASP+ launched.
- Post-quantum cryptography — entirely new. CASP+ covered traditional crypto only.
- Zero trust and SASE — elevated from a mention to a core architectural concept.
- Compliance-as-code — automated compliance checking integrated into DevOps pipelines.
- Cloud-native focus — CASP+ assumed traditional infrastructure. SecurityX assumes cloud-native and hybrid environments.
The shift reflects where enterprise security has moved. If you passed CASP+ CAS-004, your certification was automatically updated to SecurityX — but the knowledge gap between CAS-004 and CAS-005 is real. I’d recommend reviewing the new topics even if you don’t need to re-test.
CASP+ CAS-004 was retired on June 17, 2025. SecurityX CAS-005 launched on December 17, 2024.
Who Should Get SecurityX?
This is probably the most important section in this guide, because the wrong certification at the wrong time is worse than no certification at all.
SecurityX is right for you if:
- You have 5+ years of hands-on security experience (ideally 10+)
- You want to stay technical — designing and implementing solutions, not managing teams
- You work in (or want to work in) government or defence contracting (DoD 8140 requirement)
- You’re a Security+ holder looking to demonstrate expert-level technical depth
- You’re in a senior security engineer, architect, or consultant role
SecurityX is NOT right for you if:
- You have fewer than 3 years of security experience — take CySA+ first
- You want to move into security management or CISO roles — CISSP is better for that
- You’re looking for an entry-level cert — start with Security+ (SY0-701)
- You’re primarily in GRC and don’t do hands-on technical work — consider CISM instead
The most common mistake we see is people skipping CySA+ and jumping straight to SecurityX with only 2–3 years of experience. They fail the exam because the PBQs assume you’ve actually done the work, not just studied the theory. If you’re not sure, here’s the decision: can you configure a SIEM, write firewall rules, and troubleshoot PKI issues from memory? If yes, go SecurityX. If no, build those skills first.
SecurityX Prerequisites and Experience
CompTIA lists the following recommendations (not enforced requirements):
- 10 years of general IT experience
- 5 years of hands-on security experience
- Knowledge equivalent to Network+, Security+, CySA+, Cloud+, and PenTest+
The word “recommended” is important here. Unlike CISSP (which requires verified work experience), CompTIA doesn’t check your background before you sit the exam. You could technically take it on day one of your career.
But should you? Probably not. The exam is designed for people who have lived these scenarios. When a PBQ asks you to configure network segmentation for a cloud-hybrid environment, it expects you to draw on real experience — not a textbook answer. Most people who pass with fewer than 5 years of experience compensate with intensive lab work and multiple other certifications.
If you’re coming from a military or government background, your operational experience counts. Many DoD professionals successfully pass SecurityX with 5–7 years of relevant experience because their day-to-day work maps directly to the exam objectives.
SecurityX Career Paths and Salary
SecurityX unlocks senior technical roles. Here’s what the salary data actually shows (sources: Payscale, ZipRecruiter, BLS, verified 2026):
| Role | Salary Range | SecurityX Value |
|---|---|---|
| Security Architect | $120K–$180K+ | Core qualification — many job postings list it |
| Senior Security Engineer | $110K–$160K+ | Differentiator from Security+ holders |
| SOC Manager | $100K–$145K+ | Proves technical depth alongside leadership |
| Security Consultant | $95K–$155K+ | Client-facing credibility |
| Cloud Security Engineer | $115K–$170K+ | New cloud security content maps directly |
| GRC/Compliance Lead | $95K–$140K+ | GRC domain covers frameworks in depth |
The average salary for SecurityX holders is approximately $105,000 per year (Payscale). But averages are misleading — the range depends heavily on role, location, and whether you’re in the private sector or government.
DoD 8140 — Why Government Cares
SecurityX is approved under DoD 8140 (which replaced DoD 8570) for IAT Level III and IASAE Level II positions. In practice, this means:
- If you want to work for the US Department of Defense or any defence contractor, you likely need a certification at this level
- SecurityX and CISSP are the two most common choices for these requirements
- SecurityX is preferred when the role is hands-on technical; CISSP when it’s management
This DoD approval is one of the strongest practical reasons to choose SecurityX. No amount of experience replaces a certification when it’s a checkbox requirement for your security clearance.
How to Study for SecurityX: Complete Plan
Every competitor site we reviewed said “use CertMaster” and left it at that. Here’s an actual 12-week SecurityX study guide with a domain-by-domain approach.
Weeks 1–3: Governance, Risk, and Compliance (20%)
Start here. GRC is the smallest domain but builds the conceptual foundation for everything else. Focus on:
- NIST Cybersecurity Framework (CSF) and Risk Management Framework (RMF)
- ISO 27001/27002 structure and controls
- Quantitative vs qualitative risk assessment methods
- Threat modelling with STRIDE and MITRE ATT&CK
- Third-party risk management and vendor assessments
Lab work: Download the NIST CSF and RMF documents. Map a fictional organisation’s security programme to both frameworks. This exercise appears in PBQs.
Weeks 4–6: Security Architecture (27%)
Build on your GRC knowledge by designing the architecture that implements those policies:
- Cloud security reference architectures (AWS, Azure, GCP shared responsibility models)
- Zero trust architecture — not just the concept, but how to implement it with SASE and SD-WAN
- Network segmentation and microsegmentation design
- PKI deployment, certificate lifecycle management, and identity federation
- Secure application architecture and API security
Lab work: Set up a home lab with segmented networks using VLANs. Configure a PKI with a root CA and subordinate CA. Practice designing a zero trust network on paper.
Weeks 7–9: Security Engineering and Cryptography (31%)
The largest domain. Spend extra time here:
- Secure DevOps — integrate SAST, DAST, and SCA tools into a CI/CD pipeline
- Cryptographic implementations — TLS configuration, certificate pinning, key management
- Post-quantum cryptography concepts (lattice-based, hash-based algorithms)
- Legacy system hardening — securing systems that can’t be patched or replaced
- AI/ML security controls (new to CAS-005)
Lab work: Set up a Jenkins or GitLab CI pipeline with security scanning (Snyk, SonarQube). Configure TLS with proper cipher suites. Practice with Kali Linux tools.
Weeks 10–12: Security Operations + Review (22%)
Final stretch. Focus on operations and then intensive exam prep:
- SIEM deployment and tuning (Splunk, ELK, or similar)
- Incident response playbooks — write one from scratch
- Threat hunting with IoC frameworks
- Digital forensics fundamentals — memory analysis, disk forensics, metadata
- Weeks 11–12: Full-length practice exams, review weak areas, PBQ drills
Lab work: Install Splunk free tier, ingest Windows event logs, and write detection rules for common attack patterns. Practice incident response scenarios.
Total estimated study time: 120–180 hours (10–15 hours per week).
Best SecurityX Study Resources
Here’s what we recommend for your SecurityX study toolkit. We’ve included free, affordable, and premium options.
Official CompTIA Resources
- Exam objectives PDF — Free from comptia.org. Read this first. Every exam question maps to a specific objective.
- CertMaster Learn — CompTIA’s official study platform with lessons and assessments
- CertMaster Practice — Adaptive practice questions aligned to exam objectives
- CertMaster Labs — Hands-on virtual labs for PBQ preparation
Books
- Packt “SecurityX CAS-005 Certification Guide” (2nd edition) — ~$25. Best budget option. Covers all four domains with practice questions. Available on Amazon.
- Sybex/Wiley CASP+ Study Guide — While titled for CASP+, the CAS-005 edition covers SecurityX objectives
Online Courses
- Jason Dion / Dion Training — Highly rated SecurityX course with practice exams
- Cybrary — Lessons, labs, and practice exams in one platform
- uCertify — Interactive learning with embedded labs
Boot Camps (Premium)
- Infosec Institute — 5-day SecurityX boot camp (~$3,399). Intensive but effective for structured learners.
- Training Camp — DoD-approved provider with a claimed 94% pass rate
Hands-On Labs (Free/Low-Cost)
- TryHackMe — Guided rooms for network security, SIEM, and incident response
- HackTheBox — More advanced challenges for experienced practitioners
- Splunk Free — Set up a home SIEM for Security Operations practice
- VulnHub — Downloadable vulnerable VMs for forensics and threat hunting practice
- Kali Linux — Essential for Security Engineering PBQ preparation
Community
- r/CompTIA — Active Reddit community with SecurityX study groups and exam experience reports
- CompTIA CertMaster Community — Official forums for exam discussion
SecurityX vs CISSP vs CISM vs CCSP
At the expert level, you’re typically choosing between four certifications. Here’s how they compare — and the comparison goes beyond what you’ll find in our detailed SecurityX vs CISSP comparison.
| | SecurityX | CISSP | CISM | CCSP |
|---|---|---|---|---|
| Provider | CompTIA | ISC2 | ISACA | ISC2 |
| Focus | Hands-on technical | Security management | Security governance | Cloud security |
| Experience | 10 yrs IT (recommended) | 5 yrs security (required) | 5 yrs IS mgmt (required) | 5 yrs IT incl. 1 yr cloud |
| Exam cost | ~$512 | $749 | $575–$760 | $599 |
| Renewal | 75 CEUs / 3 yrs | 40 CPEs / year | 20 CPEs / year | 30 CPEs / year |
| Best for | Senior engineers, architects | Managers, CISOs | GRC and compliance leads | Cloud security architects |
| Salary range | $90K–$150K+ | $120K–$180K+ | $110K–$165K+ | $100K–$160K+ |
| DoD approved | Yes (8140) | Yes (8140) | Yes (8140) | No |
The key distinction: SecurityX and CISSP are not competing certifications — they serve different career trajectories. SecurityX is for people who want to stay hands-on. CISSP is for people who want to lead. Many senior professionals hold both.
CISM is the GRC/governance equivalent at the management level. CCSP is the specialist choice if your career is specifically in cloud security architecture.
Total Cost to Get and Maintain SecurityX
Nobody talks about the total cost of a certification. Here’s the full picture:
Getting Certified
| Item | Cost |
|---|---|
| Exam voucher (save with StationX) | ~$512 |
| Study guide/book | $25–$200 |
| Practice exams | $50–$100 |
| Boot camp (optional) | $0–$3,399 |
| Total | $587–$4,211 |
Most self-study candidates spend $600–$900 total. The boot camp is optional and is the most expensive item — it’s worth it if you need structured learning and accountability, but plenty of people pass without one.
Staying Certified (Per 3-Year Cycle)
| Item | Cost |
|---|---|
| CE fee ($50/year × 3) | $150 |
| CEU activities (75 required) | $0–$500 |
| Total per cycle | $150–$650 |
CEUs can be earned for free through work experience, conference attendance, and self-study. Many employers cover both the CE fee and conference costs, making renewal essentially free for employed professionals.
Is SecurityX Worth It?
Here’s my honest assessment after three decades in this industry.
Yes, SecurityX is worth it if:
- You’re targeting DoD/government roles where it’s a requirement, not a nice-to-have
- You’re a senior engineer who wants a vendor-neutral advanced certification (SecurityX is the only one at this level from CompTIA)
- You’re already in the CompTIA ecosystem (Security+ → CySA+ → SecurityX is a natural progression)
- Your employer pays for it — the ROI is obvious when the cost is zero to you
It’s probably not worth it if:
- You’re choosing between SecurityX and CISSP and you want management roles — CISSP wins for career breadth
- You’re early in your career — the market recognises Security+ and CySA+ at your level, and SecurityX won’t get you hired faster than those
- You’re in a market where CISSP is the default requirement — in the UK, Europe, and much of Asia, hiring managers know CISSP but may not recognise SecurityX
- You’re self-funding and budget is tight — the $600–$900 might be better spent on CISSP if you can only do one
The uncomfortable truth is that SecurityX has less name recognition than CISSP outside the US government sector. CISSP opens more doors globally. But within its niche — hands-on senior technical roles, DoD work, and CompTIA-aligned employers — SecurityX is the strongest credential you can hold.
My recommendation: if you’re a technical practitioner who wants to stay technical, and especially if you’re in or adjacent to the US government sector, SecurityX is absolutely worth the investment. If you’re unsure between SecurityX and CISSP, read our detailed SecurityX vs CISSP comparison.
And regardless of which certification you pursue, StationX’s Master’s Program gives you access to 30,000+ courses including comprehensive Security+ and advanced security training to build the foundation you need. It also comes with a 100% job guarantee, 1:1 mentorship, and done-for-you resume services — everything you need to actually land the roles these certifications qualify you for.
Frequently Asked Questions
Is CompTIA SecurityX the same as CASP+?
Yes. SecurityX (CAS-005) is the rebranded and updated version of CASP+ (CAS-004). CompTIA renamed it as part of their Expert (Xpert) Series. If you held CASP+, your badge was automatically updated to SecurityX — no re-testing required.
How hard is the SecurityX exam?
SecurityX is considered one of CompTIA’s most difficult exams. It targets senior practitioners with 10+ years of IT experience. The performance-based questions (PBQs) require hands-on skills, not just theoretical knowledge. CompTIA doesn’t publish pass rates, but boot camp providers report around 94% for trained candidates.
Do I need CASP+ before taking SecurityX?
No. CASP+ (CAS-004) was retired in June 2025. SecurityX (CAS-005) replaced it entirely. You take SecurityX directly — there’s no prerequisite certification, though CompTIA recommends Security+ knowledge and 10 years of IT experience.
Is SecurityX better than CISSP?
They serve different purposes. SecurityX validates hands-on technical skills for practitioners who design and implement security solutions. CISSP validates broad security management knowledge for people leading security programmes. If you want to stay technical, SecurityX. If you want to manage teams and strategy, CISSP.
How much does SecurityX cost?
The SecurityX exam costs approximately $512 USD. Total cost including study materials typically ranges from $600–$900 for self-study, or up to $4,200 if you include a boot camp. Renewal costs $50 per year ($150 over a 3-year cycle) plus 75 CEUs.
Does SecurityX meet DoD 8140 requirements?
Yes. SecurityX is approved under DoD 8140 (the successor to DoD 8570) for IAT Level III and IASAE Level II categories. This makes it essential for government and defence contractor roles requiring advanced security clearance.
Can I take SecurityX without 10 years of experience?
Technically yes — CompTIA doesn’t enforce the experience requirement. However, the exam assumes deep practical knowledge. Most people who pass without 10 years of experience have intensive hands-on security work and additional certifications like Security+ and CySA+.
How do I renew SecurityX?
SecurityX must be renewed every three years. You need 75 Continuing Education Units (CEUs) and must pay $50 per year in CE fees ($150 total per cycle). CEUs can be earned through training courses, conferences, publications, and work experience.
About the Author
Nathan House, StationX
Nathan House is a cybersecurity expert with 30 years of hands-on experience. He holds OSCP, CISSP, and CEH certifications, has secured £71 billion in UK mobile banking transactions, and has worked with clients including Microsoft, Cisco, BP, Vodafone, and VISA. Named Cyber Security Educator of the Year 2020 and a UK Top 25 Security Influencer 2025, Nathan is a featured expert on CNN, Fox News, and NBC. He founded StationX, which has trained over 500,000 students in cybersecurity.